On 04/19/2013 10:34 AM, Tom Eastep wrote:
> On 04/19/2013 10:26 AM, Tom Eastep wrote:
>
>> Okay -- here is the complete patch.
>>
>> This also allows the simple form:
>>
>> Rules:
>>
>> SECTION INPUT
>> NFACCT(all) - +dmz-net(dmz_in)
>>
>> SECTION OUTPUT
>> NFACCT(all) - - +dmz-net(dmz_out)
>>
>> SECTION FORWARD
>> NFACCT(all) - +dmz-net(dmz_fwd)
>> COUNT - - +dmz-net(dmz_fwd)
>
> Note that with this patch, you *must* use the above form rather than:
>
> NFACCT(dmz_fwd) - - +dmz-net
>
> In this form, the ipset match gets added to the rule *after* the nfacct
> match.
>
That is corrected in this additional patch.

-Tom

--
Tom Eastep            \   When I die, I want to go like my Grandfather who
Shoreline,             \   died peacefully in his sleep. Not screaming like
Washington, USA         \   all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 22501c1..4ec5df0 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -6951,7 +6951,7 @@ sub expand_rule( $$$$$$$$$$;$ ) { my ($chainref , # Chain $restriction, # Determines what to do with interface names in the SOURCE or DEST - $rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST + $callersrule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST $source, # SOURCE $dest, # DEST $origdest, # ORIGINAL DEST @@ -6971,6 +6971,7 @@ sub expand_rule( $$$$$$$$$$;$ ) my ( $jump, $mac, $targetref, $basictarget ); our @ends = (); my $deferdns = $config{DEFER_DNS_RESOLUTION}; + my $rule = ''; if ( $target ) { ( $basictarget, my $rest ) = split ' ', $target, 2; @@ -7077,7 +7078,7 @@ sub expand_rule( $$$$$$$$$$;$ ) # ( $rule, $done ) = handle_exclusion( $disposition, $table, - $rule, + $rule . $callersrule, $restriction, $inets, $iexcl, @@ -7114,7 +7115,7 @@ sub expand_rule( $$$$$$$$$$;$ ) for my $dnet ( split_host_list( $dnets, $deferdns ) ) { $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE}; my $dest_match = match_dest_net( $dnet, $restriction ); - my $matches = join( '', $rule, $source_match, $dest_match, $onet ); + my $matches = join( '', $source_match, $dest_match, $onet, $rule, $callersrule ); my $cond3 = conditional_rule( $chainref, $dnet );
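Review bot: renaming the third parameter from $rule to $callersrule in the expand_rule prototype means every remaining use of $rule in the body now refers to the new local declared later (`my $rule = '';`) rather than to the caller's matches, and any use between the parameter list and that declaration would be a strict-mode error. Only two call sites are updated in this patch; please confirm the rest of the body was audited for $rule references that were meant to carry the caller's matches.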
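Review bot: the new `my $rule = '';` carries no comment, unlike the annotated parameter list just above it; a one-line comment such as `# Matches generated by this function; emitted before the caller's matches` would document the ordering contract this patch introduces and make the later `$rule . $callersrule` / `$rule, $callersrule` sequencing self-explanatory.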
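Review bot: handle_exclusion now receives `$rule . $callersrule` and its result is assigned back into $rule (`( $rule, $done ) = handle_exclusion(`), so after this call $rule already contains the caller's matches. If control can still reach the `join( '', $source_match, $dest_match, $onet, $rule, $callersrule )` in the last hunk after an exclusion has been handled, $callersrule would be emitted twice; please confirm the exclusion path and the loop path are mutually exclusive, or append $callersrule only once at emission time.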
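Review bot: the new join order places $callersrule last, which is the actual fix for the ordering problem described in the message: an nfacct match updates its counter every time it is evaluated, so the caller's NFACCT match must follow the source, destination and set matches or the counter includes packets those matches would have rejected. A comment on this line stating that match order is significant would keep a future cleanup from restoring `$rule` to the front. Note also that $rule itself now follows $source_match/$dest_match/$onet, so any function-generated match that previously led the rule is reordered as well, not only the caller's.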
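The quoted message says that when the ipset match lands after the nfacct match, the accounting counter is wrong. The following is an added simulation, not Shorewall code, that models iptables semantics (matches are evaluated left to right and stop at the first failure; an nfacct match increments its counter whenever it is evaluated and always matches) over a constructed set of packets, so the effect of the two orderings on the dmz_fwd counter can be seen directly. The set name, counter name, network and packets are constructed for the example.

```python
"""Simulation of iptables match ordering for NFACCT accounting (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the ipset "dmz-net" used in the quoted rules.
DMZ_NET = ip_network("10.0.0.0/24")

# Constructed sample traffic: two packets to the DMZ, two elsewhere.
PACKETS = [
    {"dst": "10.0.0.5"},
    {"dst": "10.0.0.7"},
    {"dst": "192.168.1.1"},
    {"dst": "172.16.0.9"},
]


def set_match(net):
    """Model of `-m set --match-set <name> dst`: matches only DMZ destinations."""
    def match(pkt, counters):
        return ip_address(pkt["dst"]) in net
    return match


def nfacct_match(name):
    """Model of `-m nfacct --nfacct-name <name>`: counts on every evaluation, always matches."""
    def match(pkt, counters):
        counters[name] = counters.get(name, 0) + 1
        return True
    return match


def evaluate_rule(matches, pkt, counters):
    """Evaluate matches left to right; the first non-match ends the rule."""
    for match in matches:
        if not match(pkt, counters):
            return False
    return True


def run(matches, packets):
    """Return (dmz_fwd counter value, number of packets the whole rule matched)."""
    counters = {}
    hits = sum(1 for pkt in packets if evaluate_rule(matches, pkt, counters))
    return counters.get("dmz_fwd", 0), hits


def nfacct_before_set():
    """Order produced by `NFACCT(dmz_fwd) - - +dmz-net` before the patch."""
    return run([nfacct_match("dmz_fwd"), set_match(DMZ_NET)], PACKETS)


def set_before_nfacct():
    """Order produced by the corrected join: set match first, then the caller's nfacct match."""
    return run([set_match(DMZ_NET), nfacct_match("dmz_fwd")], PACKETS)


if __name__ == "__main__":
    print("nfacct before set:", nfacct_before_set())  # counter counts all 4 packets
    print("set before nfacct:", set_before_nfacct())  # counter counts only the 2 DMZ packets
```

Both orderings match the same two packets, so the rule's own behaviour looks identical; only the counter differs, which is why a mis-ordered accounting rule is easy to miss in testing and worth checking with `nfacct list` against known traffic.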
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel